Risk Management refers to the identifying, calculating, analyzing, and prioritizing of risks. When used here, risks mean the effect of uncertainty on objectives, as the ISO defines in its ISO 31000. These risks must then be dealt with in such a manner as to lessen the impact of them. This is done through deploying resources in order to monitor and effectively control the dangers presented by the unfortunate events. In other cases, the ultimate goal is to maximize the opportunities which are presented alongside the risk. The objective of such risk management is to make certain that this uncertainty will not interfere with or hinder the company’s or project’s goals.
Risks can arise from a variety of sourses. This includes project failure threats, financial markets’ risks, credit risk problems, legal liabilities, natural disasters or so-called acts of God, accidents, adversarial sponsored attacks, and other events which cannot be easily predicted. Such events are called “Black Swan” events. Two different kinds of negative events are classified as risky at the same time that positively occurring events are called opportunities.
The Project Management Institute, ISO, National Institute of Standards and Technology, and various actuarial societies have come together to develop a few different sets of standards for effective risk management. The difficulty comes from how vastly the definitions, methods of dealing with, and goals for handling risk management differ based on if the project is security, project management, industrial process, engineering, actuarial assessments, financial portfolios, or even public safety and health.
There are a wide range of accepted strategies for managing the various threats (defined as uncertainties that have negative consequences). These include reducing the probability or negative effects from the threat, avoiding it altogether, retaining a part of the consequences from it, transferring some or all of the risks to another third party, and trying to turn the threat into an opportunity (defined as the uncertain future benefits by risk managers).
There have been criticisms of a great number of the standards for risk management as they do not present any quantifiable way of measuring improvement of risk. One particular study identified one out of six IT projects as “Black Swans.” These showcased huge budget and time over runs. The cost over runs ran an average of 200 percent while the schedule over runs averaged 70 percent.
Dealing effectively with risk involves choosing the most appropriate counter measures to first size up and then quantify the risk. Mitigation requires the highest levels of appropriate management to approve the strategy which is most appropriate. A corporate image risk should be addressed by the highest levels of management every time. However computer virus risks and threats would be best addressed by only the IT levels of management, which already possess the authority to handle these problems on their own.
Per the ISO 27001, that next stage following completing the risk assessment phase involves coming up with the best Risk Treatment Plan. This must document the actions on how every one of the ascertained risks will be treated. Mitigating risks typically involves picking the right security controls that have to be specified under the Statement of Applicability. This sets out the specific control objectives and other controls that were chosen and why they were selected.
Whichever plan is selected for risk management, the plan must propose effective and relevant security protocols and solutions to manage said risks. As an example, computer virus risks can be effectively mitigated through buying and installing the right antivirus software. The best plans for risk management must have a schedule of times and events to be implemented as well as the individuals who bear the responsibility for getting these things done.